CVE-2023-31446

CRITICAL EXPLOITED NUCLEI

Cassia Gateway firmware - Code Injection

Title source: llm

Exploitation Summary

CVE-2023-31446 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including Dodge-MPTC. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository describes CVE-2023-31446, a remote code execution vulnerability in Cassia Gateway Firmware versions <2.1.1.230309. The vulnerability arises from unsanitized input in the *queueUrl* parameter of the */bypass/config* endpoint, allowing command injection with root privileges during device startup.

Description

In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.

Exploits (1)

nomisec WRITEUP 4 stars

by Dodge-MPTC · remote

https://github.com/Dodge-MPTC/CVE-2023-31446-Remote-Code-Execution

View Code ZIP pw:eip

The repository describes CVE-2023-31446, a remote code execution vulnerability in Cassia Gateway Firmware versions <2.1.1.230309. The vulnerability arises from unsanitized input in the *queueUrl* parameter of the */bypass/config* endpoint, allowing command injection with root privileges during device startup.

Classification

Writeup 90%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Cassia Gateway Firmware <2.1.1.230309

No auth needed

Prerequisites: Network access to the target device · Ability to send HTTP requests to the */bypass/config* endpoint · Device reboot to trigger the payload

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1202 - Indirect Command Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Cassia Gateway Firmware - Remote Code Execution

CRITICALVERIFIEDby DhiyaneshDk

Shodan: html:"Cassia Bluetooth Gateway Management Platform" || http.html:"cassia bluetooth gateway management platform"

FOFA: body="cassia bluetooth gateway management platform"

References (3)

Core 3

Core References

Various Sources

https://blog.kscsc.online/cves/202331446/md.html

Exploit, Third Party Advisory

https://github.com/Dodge-MPTC/CVE-2023-31446-Remote-Code-Execution

Product

https://www.cassianetworks.com

Scores

CVSS v3 9.8

EPSS 0.6108

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

VulnCheck KEV 2024-12-21

CWE

CWE-77

Status published

Products (2)

cassianetworks/xc1000_firmware 2.1.1.2303082218

cassianetworks/xc2000_firmware 2.1.1.2303090947

Published Jan 10, 2024

Tracked Since Feb 18, 2026